[Oisf-users] Malware detection through Mail how?

rmkml rmkml at yahoo.fr
Fri May 8 16:49:13 UTC 2015

Hi Nick and Jay,

Yes Jay, you are right: if the SMTP network traffic is encrypted, Suricata fails ;)

But if your SMTP network traffic is not encrypted, please test with this sig:

alert tcp any any -> any 25 (msg:"SMTP base64 Eicar antivirus test file attempt"; flow:to_server,established; content:"WDVPIVAlQEFQWzRcUFpYNTQoUF4pN0NDKTd9JEVJQ0FSLVNUQU5EQVJELUFO"; classtype:attempted-user; sid:1; rev:1;)

Warning: this only works with SMTP base64 MIME encoding.
Don't forget to enable (or not) cksum in suricata.yaml.

perl -e 'use MIME::Base64;print decode_base64("WDVPIVAlQEFQWzRcUFpYNTQoUF4pN0NDKTd9JEVJQ0FSLVNUQU5EQVJELUFO"),"\n";'

Don't forget to enable SMTP in suricata.yaml in the latest Suricata v2.1beta4:

app-layer:
  protocols:
    smtp:
      enabled: yes
      # SMTP MIME decoder; decode-mime turns the whole thing on or off
      mime:
        decode-mime: yes
        decode-base64: yes
        decode-quoted-printable: yes
        header-value-depth: 2000
        extract-urls: yes
      # inspected-tracker settings used by file_data inspection
      inspected-tracker:
        content-limit: 1000
        content-inspect-min-size: 1000
        content-inspect-window: 1000

But base64 decoding does not work for me in my small test with the latest Suricata v2.1beta4.

Another option is enabling all sigs in smtp-events.rules:
  alert smtp any any -> any any (msg:"SURICATA SMTP.......

Any comments are welcome.



On Fri, 8 May 2015, Jay M. wrote:

> You would need to sniff and often decrypt traffic somewhere between
> the Internet and your mail gate. Encryption usually hinders this
> process, and if you have a tap in place already, this is probably why
> you aren't seeing anything. Ideally your mail gate would have AV and a
> plethora of filter options to address e-mail malware.
> --
> Jay
> jskier at gmail.com
> On Fri, May 8, 2015 at 8:11 AM, Nick de Bruijn <nick_hyves at hotmail.com> wrote:
>> Hello all,
>> I can't figure out how I could use Suricata to detect malware.
>> I want Suricata to detect malware sent in email attachments.
>> Could someone explain to me how I can do this?
>> Now when I send myself an EICAR file, Suricata doesn't recognize it.
>> I would very much appreciate the help!
>> Kind regards,
>> Nick
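
Added worked example (not from this thread, and not Suricata or OISF code): a stdlib-only Python script that builds a constructed test mail with eicar.com attached under three Content-Transfer-Encodings and runs two matchers over it. The first is a raw byte match for the 60-character base64 blob, which is what rmkml's `content:` signature sees on port 25. The second parses the MIME structure and undoes each part's transfer encoding before looking for the EICAR string, which is the kind of visibility the decode-mime / decode-base64 settings are meant to provide. It also goes one step beyond the "only works with base64" warning above: a single byte placed in front of the EICAR string inside the attachment shifts the base64 alignment, so the raw blob no longer appears on the wire while the decoded match still fires. The addresses and filename are made up; the EICAR string and the base64 blob are the real ones from the post.

```python
"""Constructed demonstration: raw base64 signature vs MIME-decoded inspection
for the EICAR test file sent as an SMTP attachment. Stdlib only."""
import base64
import email
from email import encoders, policy
from email.mime.application import MIMEApplication
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText

# EICAR test string: harmless by design, flagged by every AV engine.
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

# The content: value from the signature in the post above (first 45 bytes
# of EICAR, base64-encoded at offset 0).
SIG_CONTENT = "WDVPIVAlQEFQWzRcUFpYNTQoUF4pN0NDKTd9JEVJQ0FSLVNUQU5EQVJELUFO"


def build_message(encoder=encoders.encode_base64, prefix: bytes = b"") -> bytes:
    """Constructed sample mail with the EICAR file attached.

    encoder: email.encoders.encode_base64 / encode_quopri / encode_7or8bit,
             i.e. the Content-Transfer-Encoding the attachment will use.
    prefix:  bytes placed in front of EICAR inside the attachment, used to
             show what a change of base64 alignment does to the raw match.
    """
    msg = MIMEMultipart()
    msg["From"] = "sender@example.test"   # assumed addresses
    msg["To"] = "victim@example.test"
    msg["Subject"] = "EICAR test"
    msg.attach(MIMEText("see attachment"))
    part = MIMEApplication(prefix + EICAR, "octet-stream", _encoder=encoder)
    part.add_header("Content-Disposition", "attachment", filename="eicar.com")
    msg.attach(part)
    return msg.as_bytes()


def raw_match(wire: bytes, needle: str = SIG_CONTENT) -> bool:
    """What a plain content match on the TCP/25 payload sees: the bytes as
    transferred, transfer encoding and line wrapping included."""
    return needle.encode("ascii") in wire


def decoded_match(wire: bytes, needle: bytes = EICAR) -> bool:
    """What a MIME-aware inspector sees: every leaf part after its
    Content-Transfer-Encoding (base64, quoted-printable, 7bit) is undone."""
    msg = email.message_from_bytes(wire, policy=policy.default)
    for part in msg.walk():
        if part.is_multipart():
            continue
        payload = part.get_payload(decode=True)  # decodes per the CTE header
        if payload is not None and needle in payload:
            return True
    return False


def sig_content_is_eicar_prefix() -> bool:
    """Check that the signature's blob really is the start of EICAR
    (the same thing the perl one-liner in the post prints)."""
    return base64.b64decode(SIG_CONTENT) == EICAR[:45]


def survey() -> dict:
    """Run both matchers over three transfer encodings plus an
    alignment-shifted base64 attachment. Returns name -> (raw, decoded)."""
    cases = {
        "base64": build_message(encoders.encode_base64),
        "base64+1byte": build_message(encoders.encode_base64, prefix=b"x"),
        "quoted-printable": build_message(encoders.encode_quopri),
        "7bit": build_message(encoders.encode_7or8bit),
    }
    return {name: (raw_match(wire), decoded_match(wire)) for name, wire in cases.items()}


if __name__ == "__main__":
    print("signature blob == EICAR[:45]:", sig_content_is_eicar_prefix())
    for name, (raw, decoded) in survey().items():
        print(f"{name:18s} raw content match={raw!s:5s} decoded match={decoded}")
```

Running the script prints one line per case; only the plain base64 attachment produces a raw match, which is the limitation rmkml warns about, and the one-byte prefix shows that even base64 is not enough when the attachment does not start exactly at the EICAR string. The decoded matcher fires in every case, which is why decoding MIME in the sensor (or doing AV on the mail gateway, as Jay suggests) is the robust approach.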
